Friday, January 12, 2007

Certified Malware Removal Expert

I read the following in the latest SANS NewsBites (link will work shortly):

Does anyone on your staff do an excellent job of cleaning out PCs that have been infected by spyware and other malicious software? We are just starting development of a new certification (and related training) for Certified Malware Removal Experts and we are looking for a council of 30 people who have done a lot of it to help vet the skills and knowledge required for the certification exam and classes. Email cmre@sans.org if you have a lot of experience.

This must be the easiest SANS certification of all! The safest way to remove malware is to reinstall from trusted original media (not from backups, which could themselves be compromised). That doesn't even account for BIOS or other hardware rootkits, which a reinstall does not touch, but hardly anyone cares about that problem yet.

Hopefully SANS will come to the same conclusion that Microsoft already did and drop this idea.

14 comments:

Anonymous said...

That is just plain sad. A certification on removal of spyware...please don't let this get approved. That's like saying I'm A+ certified.

reillyb said...

Microsoft's Jesper Johansson also did an excellent job explaining how no tool and no action (short of re-installation and doing things correctly from the start) will adequately recover a compromised system:

http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

cutaway said...

Sir,
I think that you (and the people who have commented before me) are taking the short view of reacting to malware within an environment. There is a lot more to reacting to an infestation than just wiping the system and driving on. There must be a certain amount of incident response involved. You have to determine how the infestation occurred so that it does not happen to the same system again or to others within your environment. You have to determine if the system contained sensitive information or was connected to any that do. And in some cases it may be necessary to analyze the malware to determine what it was capable of doing. I just recently wrote about this very subject in my post titled When to Initiate Malware Incident Response.

Sure, the end result might be to wipe the system and drive on. But you cannot negate the need for these steps. That said, I am not certain that SANS needs another certification beyond the ones they already have that deal with malware analysis and incident response. But perhaps we should wait until they have a curriculum before we start making assumptions as to the necessity of the training.

Go forth and do good things,
Cutaway

Keydet89 said...

I have to agree that there's much more to this issue than simply flashing and reinstalling the system.

If no root cause analysis (or even simple troubleshooting) is done, then what stops the malware from propagating, or getting in again? It's not always about patches, folks...sometimes it's weak or non-existent passwords. As you're sweeping through the infrastructure, merrily cleaning systems, those systems can easily be reinfected by active malware as you move on to the next one.

Training and knowledge are the key. Managers need to know how to manage incident response, and IR staff needs to have the skills to retrieve and analyze the necessary information from systems under their control. More importantly, they need to have the training and knowledge to (a) ensure that they have the right tools, and (b) ensure that they react the right way.

Richard Bejtlich said...

This is a Certified Malware Removal Expert certification. There is no way for the average admin or security person to be confident that he/she has removed all malware without system reinstallation. Incident response and forensics are different and already covered by the SANS GCFA. If SANS wants to have a malware-specific certification, they should remove the "removal" part of the name.

Chris said...

Funny. When I saw the headline in my RSS reader, I thought "That's odd, Bejtlich doesn't typically do parody in his blog".

This time, I wish you had.

Marcin said...

I wonder what the Best Buy Geek Squad has to say about this new certification... since all those guys need to know is A+ and how to insert a CD into a "Windows computer."

Andrew said...

I understand the concerns with this certification but the comments did make me think of something: “If we don’t need training on this topic what topics do we need training on?”

What security related topics have not been covered in formal training yet but you feel should be?

I've posted a series of questions, including the above, on my blog (http://www.andrewhay.ca/archives/67).

I'd appreciate any feedback as I'm curious what people are thinking.

Bea said...

I love your blog and have read (and did a project on) your book "The Tao of Network Security Monitoring".

I've tagged you on my blog for the "5 Things You Didn't Know About Me" Blog Tag Game.

The blog link that tagged you is: http://blogs.ittoolbox.com/wireless/networks/archives/tag-im-it-5-things-you-didnt-know-about-me-13929

Bea

Richard Bejtlich said...

Thanks Bea. I've already been tagged and I responded! What did your project on my book involve?

Bea said...

It was basically a research paper on the concept of NSM and how it differs from your typical network security. I also briefly touched on some of the tools you mentioned.

I would have liked to play with some of the techniques in your book for the paper, but didn't have the time.

I loved the book, especially the detail on how to use the tools you mention in your book to their fullest.

I will eventually play with some of those techniques, down the road.

I looked into Sguil a bit, which is pretty cool. I'd never heard of Tcl/Tk before. Since then I've been working with some Tcl. =)

Bea

Richard Bejtlich said...

Bea,

Any chance you could share your paper?

taosecurity [at] gmail [dot] com

Thank you.